Why Data Professionals Should Be Careful of Internet Light Bulbs

Many of us have rejoiced at having a thermostat for our homes that can be adjusted from a cell phone at work, and we can also check the house temperature from afar. Naturally, being data professionals, we have secured these systems with secure passwords such as “password1”, “ABC123” or perhaps a random word such as “monkey”.

Of interest to you may be the many websites showing the interiors of homes around the world whose Internet-connected cameras are either not password protected or use common, easily guessed passwords such as password1, ABC123, or monkey.

A quick web search for the 500 most popular passwords will often turn up passwords that you have chosen. The time for a computer to check all 500 common passwords against your home camera system may be as long as 15 seconds, depending upon the connection speed. Keep your camera pointed at your aquarium.
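The practical defence against the 500-password problem is to refuse such passwords at the point where a device or account credential is set. The following is an added example (not code from the article) of a password-policy check that rejects anything on a common-password list, including the trivial variants people use to "strengthen" a dictionary word (case changes, leet substitutions, a trailing digit or exclamation mark). The ten-entry list is a constructed stand-in for a real top-500 or breached-password list, which you would load from a file.

```python
"""Reject device or account passwords that appear on a common-password list.

Added example, not from the article. COMMON_PASSWORDS is a constructed
sample standing in for the "500 most popular passwords" list the article
mentions; in practice load a real common- or breached-password list.
"""
import re
from typing import Optional, Set

# Constructed sample of a common-password list (entries are lower-cased).
COMMON_PASSWORDS: Set[str] = {
    "password", "password1", "abc123", "monkey", "123456", "qwerty",
    "letmein", "admin", "welcome", "dragon",
}

# Substitutions people make when "strengthening" a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12          # assumed policy value for this example
MIN_DISTINCT_CHARS = 4   # assumed policy value for this example


def normalize_variants(password: str) -> Set[str]:
    """Return the forms of a password that should be looked up in the list.

    Covers the tweaks that add no real strength: case changes, leet
    substitutions, and digits or punctuation appended to a known word.
    """
    base = password.lower()
    stripped = re.sub(r"[\d!@#$%^&*.?]+$", "", base)  # drop trailing digits/punctuation
    variants = {base, stripped, base.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    return {v for v in variants if v}


def is_common_password(password: str, common: Set[str] = COMMON_PASSWORDS) -> bool:
    """True if the password, or a trivial variant of it, is on the list."""
    return any(v in common for v in normalize_variants(password))


def evaluate_password(password: str, common: Set[str] = COMMON_PASSWORDS) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the rejection reason."""
    if len(password) < MIN_LENGTH:
        return f"too short (minimum {MIN_LENGTH} characters)"
    if is_common_password(password, common):
        return "matches a commonly used password"
    if len(set(password)) < MIN_DISTINCT_CHARS:
        return "too few distinct characters"
    return None


if __name__ == "__main__":
    for candidate in ["password1", "M0nkey!", "Password1234", "correct-horse-battery-staple"]:
        verdict = evaluate_password(candidate)
        print(f"{candidate!r}: {'ok' if verdict is None else 'rejected: ' + verdict}")
```

Note that "M0nkey!" is still caught: after the trailing "!" is stripped and the leet substitution is undone, it is just "monkey". The length and distinct-character thresholds are assumptions for the example; the list check is the part that matters for the cheap-camera scenario above.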

The seeming lack of security in cheaply purchased Internet-connected objects is easily explained. Most electronics manufacturers are unaware of Internet dangers, and have more interest in making a profit from the sale than in an esoteric quality such as cyber security for the buyer.

(Notice that I did not elaborate on the vulnerability of your nude photos stored in the cloud.)

Much the same philosophy regarding security obtains, unfortunately, in many corporations, hospitals and agencies. The dangers are hard for many to understand, the effort of protection is a budgetary issue, and it is much easier just to hope that your data will not be exposed on the Internet and sold on the dark cyber market to criminals. But, as some military types have said: “Hope is not a strategy.”

The news has a nasty habit of publishing the names of companies that have been hacked, and credit bureaus are making a tidy profit selling annual credit reports (about $200 per person), paid for by the hacked companies and given to all patrons, employees, customers and patients whose personal information has been compromised.

Back home in the corporate data sphere, it is seldom the data analysts who are blamed for massive data theft. So while you are, for now, somewhat safe, it would be helpful if you could point out to the cyber security folks in your company which servers and systems hold the most sensitive information, so they can arrange better protection for those systems.

The cyber security folk in your organization are now tasked with protecting the entire enterprise network from all the adversities in the world. This “protect everything the same” approach seems like a simple and effective strategy, except that your network is huge, the openings to the global Internet are numerous, the enemy is devious, your budget is limited, and employees are often clueless. Sensitive servers need special protection.

Web servers also need greater protection; they often need access to confidential price lists, and can query customer password records, all of which may reside in the production network environment. The reality is that your web pages are often developed by summer interns who have never taken any training in secure coding and often leave passwords within the hidden text on the web pages. (This “hidden” text is exposed with a single user keystroke.) Further, many web developers, faced with dozens of possible internal passwords, use the same password for everything, or just leave the default passwords. These default passwords are often the word “password” or “admin”. Web servers often send requests to data servers through the firewall. Do you see a problem here?
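Because "hidden" page text is one keystroke from public, the useful control is to scan your own page source for credentials before it ships. Below is an added example (not from the article, and not any real product's scanner) that walks an HTML document with Python's standard-library parser and reports credential-like names found in three places the paragraph describes: hidden form fields that carry a value, HTML comments, and inline script. The sample page, its field names and its values are constructed for the demonstration; the regular expressions and the `csrf` allow-list are assumptions you would tune for your own code base.

```python
"""Scan web page source for credentials left in it.

Added example, not from the article and not any real project's tool.
It looks for the exposures the article describes: passwords in hidden
form fields, in HTML comments, and in inline script. The sample page
below is constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Field names that should never carry a value in page source (assumed list).
SENSITIVE_NAME = re.compile(
    r"pass(word|wd|phrase)?|secret|api[_-]?key|token|db[_-]?user", re.I)
# Names that legitimately appear in pages and are not secrets (assumed list).
IGNORED_NAMES = ("csrf",)
# `name = "value"` or `"name": "value"` where the name looks credential-like.
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z0-9_.-]*(pass(word|wd|phrase)?|secret|api[_-]?key|token)[A-Za-z0-9_]*)"""
    r"""['"]?\s*[:=]\s*['"](?P<value>[^'"]+)['"]""",
    re.I,
)

Finding = Tuple[str, str]  # (where it was found, the offending name)


def _ignored(name: str) -> bool:
    return any(skip in name.lower() for skip in IGNORED_NAMES)


class CredentialScanner(HTMLParser):
    """Collects credential-like names from hidden inputs, comments and scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            name = a.get("name") or ""
            # A hidden field with a credential-like name AND a value is the problem.
            if a.get("value") and SENSITIVE_NAME.search(name) and not _ignored(name):
                self.findings.append(("hidden-input", name))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_comment(self, data):
        self._scan_text("comment", data)

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as raw text
            self._scan_text("script", data)

    def _scan_text(self, where: str, text: str) -> None:
        for m in ASSIGNMENT.finditer(text):
            if not _ignored(m.group("name")):
                self.findings.append((where, m.group("name")))


def scan_html(source: str) -> List[Finding]:
    """Return (location, name) pairs for every credential-like value in the page."""
    scanner = CredentialScanner()
    scanner.feed(source)
    scanner.close()
    return scanner.findings


# Constructed sample page; every name and value here is made up for the example.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<!-- TODO remove before launch: dbPassword = "Summer2014!" -->
<script>
  var apiKey = "EXAMPLE-NOT-A-REAL-KEY";
  var greeting = "hello";
</script>
</head><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="f00ba4">
  <input type="hidden" name="admin_password" value="password">
  <input type="text" name="username">
</form>
</body></html>
"""

if __name__ == "__main__":
    for where, name in scan_html(SAMPLE_PAGE):
        print(f"{where}: credential-like value assigned to {name!r}")
```

Run against the sample page it reports the commented-out database password, the API key in the script, and the hidden `admin_password` field, while skipping the anti-forgery token, which legitimately lives in a hidden field. The scanner reports names rather than values so its own output does not become another place the secret is written down.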

So we’ve come back to that password problem again. This is especially difficult when multiple people over long periods need to access the same sensitive application or devices. Unfortunately, this is all too often done informally by using a spreadsheet on somebody’s computer or yellow sticky notes pasted to the side of the monitor. In reality, keeping track of dozens, actually hundreds, of different passwords and passphrases is a full-time job and requires special tools. There are some very good cyber security tools that easily manage admin passwords and securely automate access. You might inquire as to who in your enterprise is in charge of those tools. (Crickets?)

Since it is difficult to keep systems secure, and difficult to keep passwords complex and yet usable, it might be well to prepare for hackers infiltrating your network. Thus, especially sensitive data needs special protection. Encryption is one way to do this, but your security folks will know other options.

If your most sensitive information has extra layers of protection, then when the network is compromised, the criminal hackers do not get your most sensitive data. Interestingly, it would be your job to tell the security people where the most sensitive data resides. (You have that all mapped out, right?)

And it would be a good idea to put serious passwords on your color-changing light bulb and network-attached thermostat.

About the author

David Schlesinger, CISSP, brings 27 years of experience in information technology and data security management. He is certified in cybersecurity and is a past president of the Phoenix ISSA, a security professional association. David has authored two US patents for data governance methods that use metadata classifications to audit and automate user rights and regulatory compliance. His book on finding hidden security and governance gaps in an enterprise, The Hidden Corporation, is published by Technics Publications.